Comments on the draft Guidelines 10/2020 of the European Data Protection Board 


This paper exclusively reflects the views of its author. 


On 7 September 2020, the European Data Protection Board published its draft Guidelines 
17/20201 “on restrictions under Article 23 GDPR” (hereinafter referred to as Draft Guidelines 
or Draft). 


The Draft Guidelines “seek to provide guidance as to the application of Article 23 GDPR” 
(paragraph 1) but—in addition to their little added value—it is not clear who are (can be) the 
addressee(s) of such guidelines. 


1. Has the EDPB authority to issue such guidelines? 


According to Article 70(1)(e)—on which these Guidelines are based—the EDPB “shall ensure 
the consistent application of this Regulation. To that end, the Board shall ... in particular: (e) 
examine ... any question covering the application of this Regulation and issue guidelines, 
recommendations and best practices in order to encourage consistent application of this 
Regulation” (emphasises added). 


In my view, the addressee of Article 23 is the legislator [the Union and/or Member States 
legislator(s)], and Article 23 concerns the enactment of (necessarily to-be) rules (that derogate 
from the rules of the GDPR) rather than the application of the existing rules of the GDPR. 


Further, Article 23 contains provisions that normally should be in the “constitutional basis” of 
the GDPR, i.e. in the Charter of Fundamental Rights of the European Union. In other words, 
Article 23 is about constitutional requirements that legislators must take into account when 
regulating data processing (cf. “Union or Member State law ... may restrict by way of a 
legislative measure”). Therefore, assessing compliance with Article 23 is reserved for the 
bodies that have the authority to check the legality (in this context: constitutionality) of the 
legislative measures that fall under Article 23, namely the Court of Justice of the European 
Union and the constitutional courts (or other constitutional bodies) of the Member States, but 
not the EDPB. The said bodies are not bound by the guidelines of the EDPB and may take 
divergent positions on the interpretation of Article 23; this fundamentally questions the right 
of the EDPB to issue such guidelines. 


The EDPB is not an advisor of any Member State legislator, this right is reserved for the 
respective supervisory authorities as clearly declared in Article 57(1)(c) together with that this 
task is to be carried out in accordance with Member State law: the supervisory authority 
“advise[s], in accordance with Member State law, the national parliament, the government, 
and other institutions and bodies on legislative and administrative measures relating to the 
protection of natural persons' rights and freedoms with regard to processing”. Similar task 
cannot be found in the GDPR for the EDPB. 


1 See at the following link 
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202010_article23_en.pdf 


Another thing that is also worrying form the perspective of national constitutional systems is 
paragraph 78 of the draft Guidelines: “Furthermore, where the legislatives measures imposing 
restrictions under Article 23 GDPR do not comply with the GDPR, in accordance with Article 
58(5) GDPR and where appropriate, SAs shall have the power to bring infringements of this 
Regulation to the attention of the judicial authorities to commence or engage otherwise in 
legal proceedings, in order to enforce the provisions of the GDPR.” Since the “measures” 
mentioned in this paragraph are legislative measures [cf. Article 23(1)], reference to Article 
58(5) means that the EDPB effectively creates authority for supervisory authorities to 
challenge the constitutionality of legislative measures of the Member State legislator even in 
cases where a supervisory authority is not vested with such authority “in accordance with 
Member State law”. 


The national provisions on codification hardly get on with the requirements that the EDPB 
imposed in paragraphs 43, 45, 46, 60 or 61, for example. The EDPB cannot oblige the national 
legislator in any way. 


Therefore, as a first step, the EDPB should thoroughly reconsider if it really has authority to 
issue such guidelines under Article 70(1)(e). 


2. Other remarks 


Even if we set aside the aforementioned concerns, there are lot of conceptual problems in the 
draft Guidelines. 


a) Insome paragraphs, the Guidelines, seemingly, forget that the restrictions based on Article 
23 are legislative measures, i.e. legal provisions in the applicable (sectoral) law. It is unrealistic 
to oblige the data controller to “document the restrictions ... includ[ing] the applicable reasons 
for the restrictions, which grounds among those listed in Article 23(1) GDPR apply” (paragraph 
66). It is enough if the data controller can denote the applied national legal provision. 


b) Further, it should be the DPO that should be aware of the current legal situation (and any 
change thereto) and the DPO should inform the personnel of the data controller of any 
changes [cf. Article 37(5), Article 39(1)(a) and (b)] instead of the opposite as described in 
paragraph 67. 


c) Since legal provisions, normally, do not have retrospective effect, it is quite difficult to 
understand what the EDPB thinks how the implementation of paragraph 73 would be: is the 
controller obliged to inform each and every data subject of the change of the legislation or is 
it enough if the controller makes public an updated privacy notice? Which point in Article 13 
or 14 obliges the controller to do so? It is also unrealistic that data controllers should 
periodically review a given decision on restrictions (paragraph 55): data subject rights (Articles 
15 to 22) can be exercised upon the data subject’s request not ex officio, therefore — until the 
legal provision is in force — the controller is not obliged to reconsider its decision if that is final. 
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In sum, the Draft Guidelines have serious deficiencies, and should be thoroughly reconsidered. 


Zsolt Bártfai 


